From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 6 May 2018 00:08:08 +0000 (-0700)
Subject: 4.14-stable patches
X-Git-Tag: v4.9.99~14
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8cb74fcfa1d16a2b5122b5932876d41888110bac;p=thirdparty%2Fkernel%2Fstable-queue.git

4.14-stable patches

added patches:
	alsa-aloop-add-missing-cable-lock-to-ctl-api-callbacks.patch
	alsa-aloop-mark-paused-device-as-inactive.patch
	alsa-dice-fix-kernel-null-pointer-dereference-due-to-invalid-calculation-for-array-index.patch
	alsa-hda-fix-incorrect-usage-of-is_reachable.patch
	alsa-pcm-check-pcm-state-at-xfern-compat-ioctl.patch
	alsa-seq-fix-races-at-midi-encoding-in-snd_virmidi_output_trigger.patch
	ib-mlx5-use-unlimited-rate-when-static-rate-is-not-supported.patch
	input-atmel_mxt_ts-add-touchpad-button-mapping-for-samsung-chromebook-pro.patch
	input-leds-fix-out-of-bound-access.patch
	net-usb-qmi_wwan-add-support-for-ublox-r410m-pid-0x90b2.patch
	rdma-cxgb4-release-hw-resources-on-device-removal.patch
	rdma-mlx4-add-missed-rss-hash-inner-header-flag.patch
	rdma-mlx5-fix-multiple-null-ptr-deref-errors-in-rereg_mr-flow.patch
	rdma-mlx5-protect-from-shift-operand-overflow.patch
	rdma-ucma-allow-resolving-address-w-o-specifying-source-address.patch
	rtlwifi-cleanup-8723be-ant_sel-definition.patch
	scsi-target-fix-fortify_panic-kernel-exception.patch
	tracepoint-do-not-warn-on-enomem.patch
	xfs-prevent-creating-negative-sized-file-via-insert_range.patch
---

diff --git a/queue-4.14/alsa-aloop-add-missing-cable-lock-to-ctl-api-callbacks.patch b/queue-4.14/alsa-aloop-add-missing-cable-lock-to-ctl-api-callbacks.patch
new file mode 100644
index 00000000000..875d3533997
--- /dev/null
+++ b/queue-4.14/alsa-aloop-add-missing-cable-lock-to-ctl-api-callbacks.patch
@@ -0,0 +1,112 @@
+From 76b3421b39bd610546931fc923edcf90c18fa395 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 30 Apr 2018 10:06:48 +0200
+Subject: ALSA: aloop: Add missing cable lock to ctl API callbacks
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 76b3421b39bd610546931fc923edcf90c18fa395 upstream.
+
+Some control API callbacks in aloop driver are too lazy to take the
+loopback->cable_lock and it results in possible races of cable access
+while it's being freed.  It eventually lead to a UAF, as reported by
+fuzzer recently.
+
+This patch covers such control API callbacks and add the proper mutex
+locks.
+
+Reported-by: DaeRyong Jeong <threeearcat@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/drivers/aloop.c |   17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/sound/drivers/aloop.c
++++ b/sound/drivers/aloop.c
+@@ -832,9 +832,11 @@ static int loopback_rate_shift_get(struc
+ {
+ 	struct loopback *loopback = snd_kcontrol_chip(kcontrol);
+ 	
++	mutex_lock(&loopback->cable_lock);
+ 	ucontrol->value.integer.value[0] =
+ 		loopback->setup[kcontrol->id.subdevice]
+ 			       [kcontrol->id.device].rate_shift;
++	mutex_unlock(&loopback->cable_lock);
+ 	return 0;
+ }
+ 
+@@ -866,9 +868,11 @@ static int loopback_notify_get(struct sn
+ {
+ 	struct loopback *loopback = snd_kcontrol_chip(kcontrol);
+ 	
++	mutex_lock(&loopback->cable_lock);
+ 	ucontrol->value.integer.value[0] =
+ 		loopback->setup[kcontrol->id.subdevice]
+ 			       [kcontrol->id.device].notify;
++	mutex_unlock(&loopback->cable_lock);
+ 	return 0;
+ }
+ 
+@@ -880,12 +884,14 @@ static int loopback_notify_put(struct sn
+ 	int change = 0;
+ 
+ 	val = ucontrol->value.integer.value[0] ? 1 : 0;
++	mutex_lock(&loopback->cable_lock);
+ 	if (val != loopback->setup[kcontrol->id.subdevice]
+ 				[kcontrol->id.device].notify) {
+ 		loopback->setup[kcontrol->id.subdevice]
+ 			[kcontrol->id.device].notify = val;
+ 		change = 1;
+ 	}
++	mutex_unlock(&loopback->cable_lock);
+ 	return change;
+ }
+ 
+@@ -893,15 +899,18 @@ static int loopback_active_get(struct sn
+ 			       struct snd_ctl_elem_value *ucontrol)
+ {
+ 	struct loopback *loopback = snd_kcontrol_chip(kcontrol);
+-	struct loopback_cable *cable = loopback->cables
+-			[kcontrol->id.subdevice][kcontrol->id.device ^ 1];
++	struct loopback_cable *cable;
++
+ 	unsigned int val = 0;
+ 
++	mutex_lock(&loopback->cable_lock);
++	cable = loopback->cables[kcontrol->id.subdevice][kcontrol->id.device ^ 1];
+ 	if (cable != NULL) {
+ 		unsigned int running = cable->running ^ cable->pause;
+ 
+ 		val = (running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ? 1 : 0;
+ 	}
++	mutex_unlock(&loopback->cable_lock);
+ 	ucontrol->value.integer.value[0] = val;
+ 	return 0;
+ }
+@@ -944,9 +953,11 @@ static int loopback_rate_get(struct snd_
+ {
+ 	struct loopback *loopback = snd_kcontrol_chip(kcontrol);
+ 	
++	mutex_lock(&loopback->cable_lock);
+ 	ucontrol->value.integer.value[0] =
+ 		loopback->setup[kcontrol->id.subdevice]
+ 			       [kcontrol->id.device].rate;
++	mutex_unlock(&loopback->cable_lock);
+ 	return 0;
+ }
+ 
+@@ -966,9 +977,11 @@ static int loopback_channels_get(struct
+ {
+ 	struct loopback *loopback = snd_kcontrol_chip(kcontrol);
+ 	
++	mutex_lock(&loopback->cable_lock);
+ 	ucontrol->value.integer.value[0] =
+ 		loopback->setup[kcontrol->id.subdevice]
+ 			       [kcontrol->id.device].channels;
++	mutex_unlock(&loopback->cable_lock);
+ 	return 0;
+ }
+ 
diff --git a/queue-4.14/alsa-aloop-mark-paused-device-as-inactive.patch b/queue-4.14/alsa-aloop-mark-paused-device-as-inactive.patch
new file mode 100644
index 00000000000..8355dcfc3ec
--- /dev/null
+++ b/queue-4.14/alsa-aloop-mark-paused-device-as-inactive.patch
@@ -0,0 +1,59 @@
+From 306a4f3ca7f3c7dfa473ebd19d66e40e59d99734 Mon Sep 17 00:00:00 2001
+From: Robert Rosengren <robert.rosengren@axis.com>
+Date: Mon, 26 Mar 2018 07:24:49 +0200
+Subject: ALSA: aloop: Mark paused device as inactive
+
+From: Robert Rosengren <robert.rosengren@axis.com>
+
+commit 306a4f3ca7f3c7dfa473ebd19d66e40e59d99734 upstream.
+
+Show paused ALSA aloop device as inactive, i.e. the control
+"PCM Slave Active" set as false. Notification sent upon state change.
+
+This makes it possible for client capturing from aloop device to know if
+data is expected. Without it the client expects data even if playback
+is paused.
+
+Signed-off-by: Robert Rosengren <robert.rosengren@axis.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/drivers/aloop.c |   12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/sound/drivers/aloop.c
++++ b/sound/drivers/aloop.c
+@@ -296,6 +296,8 @@ static int loopback_trigger(struct snd_p
+ 		cable->pause |= stream;
+ 		loopback_timer_stop(dpcm);
+ 		spin_unlock(&cable->lock);
++		if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
++			loopback_active_notify(dpcm);
+ 		break;
+ 	case SNDRV_PCM_TRIGGER_PAUSE_RELEASE:
+ 	case SNDRV_PCM_TRIGGER_RESUME:
+@@ -304,6 +306,8 @@ static int loopback_trigger(struct snd_p
+ 		cable->pause &= ~stream;
+ 		loopback_timer_start(dpcm);
+ 		spin_unlock(&cable->lock);
++		if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK)
++			loopback_active_notify(dpcm);
+ 		break;
+ 	default:
+ 		return -EINVAL;
+@@ -893,9 +897,11 @@ static int loopback_active_get(struct sn
+ 			[kcontrol->id.subdevice][kcontrol->id.device ^ 1];
+ 	unsigned int val = 0;
+ 
+-	if (cable != NULL)
+-		val = (cable->running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ?
+-									1 : 0;
++	if (cable != NULL) {
++		unsigned int running = cable->running ^ cable->pause;
++
++		val = (running & (1 << SNDRV_PCM_STREAM_PLAYBACK)) ? 1 : 0;
++	}
+ 	ucontrol->value.integer.value[0] = val;
+ 	return 0;
+ }
diff --git a/queue-4.14/alsa-dice-fix-kernel-null-pointer-dereference-due-to-invalid-calculation-for-array-index.patch b/queue-4.14/alsa-dice-fix-kernel-null-pointer-dereference-due-to-invalid-calculation-for-array-index.patch
new file mode 100644
index 00000000000..a02dafd8c07
--- /dev/null
+++ b/queue-4.14/alsa-dice-fix-kernel-null-pointer-dereference-due-to-invalid-calculation-for-array-index.patch
@@ -0,0 +1,140 @@
+From 52759c0963510a2843774aac9b65ccaed3308dc0 Mon Sep 17 00:00:00 2001
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Date: Sun, 29 Apr 2018 15:01:46 +0900
+Subject: ALSA: dice: fix kernel NULL pointer dereference due to invalid calculation for array index
+
+From: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+
+commit 52759c0963510a2843774aac9b65ccaed3308dc0 upstream.
+
+At a commit f91c9d7610a ('ALSA: firewire-lib: cache maximum length of
+payload to reduce function calls'), maximum size of payload for tx
+isochronous packet is cached to reduce the number of function calls.
+
+This cache was programmed to updated at a first callback of ohci1394 IR
+context. However, the maximum size is required to queueing packets before
+starting the isochronous context.
+
+As a result, the cached value is reused to queue packets in next time to
+starting the isochronous context. Then the cache is updated in a first
+callback of the isochronous context. This can cause kernel NULL pointer
+dereference in a below call graph:
+
+(sound/firewire/amdtp-stream.c)
+amdtp_stream_start()
+->queue_in_packet()
+  ->queue_packet()
+    (drivers/firewire/core-iso.c)
+    ->fw_iso_context_queue()
+      ->struct fw_card_driver.queue_iso()
+      (drivers/firewire/ohci.c)
+      = ohci_queue_iso()
+        ->queue_iso_packet_per_buffer()
+          buffer->pages[page]
+
+The issued dereference occurs in a case that:
+ - target unit supports different stream formats for sampling transmission
+   frequency.
+ - maximum length of payload for tx stream in a first trial is bigger
+   than the length in a second trial.
+
+In this case, correct number of pages are allocated for DMA and the 'pages'
+array has enough elements, while index of the element is wrongly calculated
+according to the old value of length of payload in a call of
+'queue_in_packet()'. Then it causes the issue.
+
+This commit fixes the critical bug. This affects all of drivers in ALSA
+firewire stack in Linux kernel v4.12 or later.
+
+[12665.302360] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
+[12665.302415] IP: ohci_queue_iso+0x47c/0x800 [firewire_ohci]
+[12665.302439] PGD 0
+[12665.302440] P4D 0
+[12665.302450]
+[12665.302470] Oops: 0000 [#1] SMP PTI
+[12665.302487] Modules linked in: ...
+[12665.303096] CPU: 1 PID: 12760 Comm: jackd Tainted: P           OE   4.13.0-38-generic #43-Ubuntu
+[12665.303154] Hardware name:                  /DH77DF, BIOS KCH7710H.86A.0069.2012.0224.1825 02/24/2012
+[12665.303215] task: ffff9ce87da2ae80 task.stack: ffffb5b8823d0000
+[12665.303258] RIP: 0010:ohci_queue_iso+0x47c/0x800 [firewire_ohci]
+[12665.303301] RSP: 0018:ffffb5b8823d3ab8 EFLAGS: 00010086
+[12665.303337] RAX: ffff9ce4f4876930 RBX: 0000000000000008 RCX: ffff9ce88a3955e0
+[12665.303384] RDX: 0000000000000000 RSI: 0000000034877f00 RDI: 0000000000000000
+[12665.303427] RBP: ffffb5b8823d3b68 R08: ffff9ce8ccb390a0 R09: ffff9ce877639ab0
+[12665.303475] R10: 0000000000000108 R11: 0000000000000000 R12: 0000000000000003
+[12665.303513] R13: 0000000000000000 R14: ffff9ce4f4876950 R15: 0000000000000000
+[12665.303554] FS:  00007f2ec467f8c0(0000) GS:ffff9ce8df280000(0000) knlGS:0000000000000000
+[12665.303600] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[12665.303633] CR2: 0000000000000030 CR3: 00000002dcf90004 CR4: 00000000000606e0
+[12665.303674] Call Trace:
+[12665.303698]  fw_iso_context_queue+0x18/0x20 [firewire_core]
+[12665.303735]  queue_packet+0x88/0xe0 [snd_firewire_lib]
+[12665.303770]  amdtp_stream_start+0x19b/0x270 [snd_firewire_lib]
+[12665.303811]  start_streams+0x276/0x3c0 [snd_dice]
+[12665.303840]  snd_dice_stream_start_duplex+0x1bf/0x480 [snd_dice]
+[12665.303882]  ? vma_gap_callbacks_rotate+0x1e/0x30
+[12665.303914]  ? __rb_insert_augmented+0xab/0x240
+[12665.303936]  capture_prepare+0x3c/0x70 [snd_dice]
+[12665.303961]  snd_pcm_do_prepare+0x1d/0x30 [snd_pcm]
+[12665.303985]  snd_pcm_action_single+0x3b/0x90 [snd_pcm]
+[12665.304009]  snd_pcm_action_nonatomic+0x68/0x70 [snd_pcm]
+[12665.304035]  snd_pcm_prepare+0x68/0x90 [snd_pcm]
+[12665.304058]  snd_pcm_common_ioctl1+0x4c0/0x940 [snd_pcm]
+[12665.304083]  snd_pcm_capture_ioctl1+0x19b/0x250 [snd_pcm]
+[12665.304108]  snd_pcm_capture_ioctl+0x27/0x40 [snd_pcm]
+[12665.304131]  do_vfs_ioctl+0xa8/0x630
+[12665.304148]  ? entry_SYSCALL_64_after_hwframe+0xe9/0x139
+[12665.304172]  ? entry_SYSCALL_64_after_hwframe+0xe2/0x139
+[12665.304195]  ? entry_SYSCALL_64_after_hwframe+0xdb/0x139
+[12665.304218]  ? entry_SYSCALL_64_after_hwframe+0xd4/0x139
+[12665.304242]  ? entry_SYSCALL_64_after_hwframe+0xcd/0x139
+[12665.304265]  ? entry_SYSCALL_64_after_hwframe+0xc6/0x139
+[12665.304288]  ? entry_SYSCALL_64_after_hwframe+0xbf/0x139
+[12665.304312]  ? entry_SYSCALL_64_after_hwframe+0xb8/0x139
+[12665.304335]  ? entry_SYSCALL_64_after_hwframe+0xb1/0x139
+[12665.304358]  SyS_ioctl+0x79/0x90
+[12665.304374]  ? entry_SYSCALL_64_after_hwframe+0x72/0x139
+[12665.304397]  entry_SYSCALL_64_fastpath+0x24/0xab
+[12665.304417] RIP: 0033:0x7f2ec3750ef7
+[12665.304433] RSP: 002b:00007fff99e31388 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+[12665.304465] RAX: ffffffffffffffda RBX: 00007fff99e312f0 RCX: 00007f2ec3750ef7
+[12665.304494] RDX: 0000000000000000 RSI: 0000000000004140 RDI: 0000000000000007
+[12665.304522] RBP: 0000556ebc63fd60 R08: 0000556ebc640560 R09: 0000000000000000
+[12665.304553] R10: 0000000000000001 R11: 0000000000000246 R12: 0000556ebc63fcf0
+[12665.304584] R13: 0000000000000000 R14: 0000000000000007 R15: 0000000000000000
+[12665.304612] Code: 01 00 00 44 89 eb 45 31 ed 45 31 db 66 41 89 1e 66 41 89 5e 0c 66 45 89 5e 0e 49 8b 49 08 49 63 d4 4d 85 c0 49 63 ff 48 8b 14 d1 <48> 8b 72 30 41 8d 14 37 41 89 56 04 48 63 d3 0f 84 ce 00 00 00
+[12665.304713] RIP: ohci_queue_iso+0x47c/0x800 [firewire_ohci] RSP: ffffb5b8823d3ab8
+[12665.304743] CR2: 0000000000000030
+[12665.317701] ---[ end trace 9d55b056dd52a19f ]---
+
+Fixes: f91c9d7610a ('ALSA: firewire-lib: cache maximum length of payload to reduce function calls')
+Cc: <stable@vger.kernel.org> # v4.12+
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/firewire/amdtp-stream.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/sound/firewire/amdtp-stream.c
++++ b/sound/firewire/amdtp-stream.c
+@@ -773,8 +773,6 @@ static void amdtp_stream_first_callback(
+ 	u32 cycle;
+ 	unsigned int packets;
+ 
+-	s->max_payload_length = amdtp_stream_get_max_payload(s);
+-
+ 	/*
+ 	 * For in-stream, first packet has come.
+ 	 * For out-stream, prepared to transmit first packet
+@@ -879,6 +877,9 @@ int amdtp_stream_start(struct amdtp_stre
+ 
+ 	amdtp_stream_update(s);
+ 
++	if (s->direction == AMDTP_IN_STREAM)
++		s->max_payload_length = amdtp_stream_get_max_payload(s);
++
+ 	if (s->flags & CIP_NO_HEADER)
+ 		s->tag = TAG_NO_CIP_HEADER;
+ 	else
diff --git a/queue-4.14/alsa-hda-fix-incorrect-usage-of-is_reachable.patch b/queue-4.14/alsa-hda-fix-incorrect-usage-of-is_reachable.patch
new file mode 100644
index 00000000000..67c414ae95a
--- /dev/null
+++ b/queue-4.14/alsa-hda-fix-incorrect-usage-of-is_reachable.patch
@@ -0,0 +1,34 @@
+From 6a30abaa40b62aed46ef12ea4c16c48565bdb376 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 27 Apr 2018 17:17:35 +0200
+Subject: ALSA: hda - Fix incorrect usage of IS_REACHABLE()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 6a30abaa40b62aed46ef12ea4c16c48565bdb376 upstream.
+
+The commit c469652bb5e8 ("ALSA: hda - Use IS_REACHABLE() for
+dependency on input") simplified the dependencies with IS_REACHABLE()
+macro, but it broke due to its incorrect usage: it should have been
+IS_REACHABLE(CONFIG_INPUT) instead of IS_REACHABLE(INPUT).
+
+Fixes: c469652bb5e8 ("ALSA: hda - Use IS_REACHABLE() for dependency on input")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -3722,7 +3722,7 @@ static void alc280_fixup_hp_gpio4(struct
+ 	}
+ }
+ 
+-#if IS_REACHABLE(INPUT)
++#if IS_REACHABLE(CONFIG_INPUT)
+ static void gpio2_mic_hotkey_event(struct hda_codec *codec,
+ 				   struct hda_jack_callback *event)
+ {
diff --git a/queue-4.14/alsa-pcm-check-pcm-state-at-xfern-compat-ioctl.patch b/queue-4.14/alsa-pcm-check-pcm-state-at-xfern-compat-ioctl.patch
new file mode 100644
index 00000000000..05b6c3cc550
--- /dev/null
+++ b/queue-4.14/alsa-pcm-check-pcm-state-at-xfern-compat-ioctl.patch
@@ -0,0 +1,38 @@
+From f13876e2c33a657a71bcbb10f767c0951b165020 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 2 May 2018 08:48:46 +0200
+Subject: ALSA: pcm: Check PCM state at xfern compat ioctl
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit f13876e2c33a657a71bcbb10f767c0951b165020 upstream.
+
+Since snd_pcm_ioctl_xfern_compat() has no PCM state check, it may go
+further and hit the sanity check pcm_sanity_check() when the ioctl is
+called right after open.  It may eventually spew a kernel warning, as
+triggered by syzbot, depending on kconfig.
+
+The lack of PCM state check there was just an oversight.  Although
+it's no real crash, the spurious kernel warning is annoying, so let's
+add the proper check.
+
+Reported-by: syzbot+1dac3a4f6bc9c1c675d4@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/pcm_compat.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/core/pcm_compat.c
++++ b/sound/core/pcm_compat.c
+@@ -423,6 +423,8 @@ static int snd_pcm_ioctl_xfern_compat(st
+ 		return -ENOTTY;
+ 	if (substream->stream != dir)
+ 		return -EINVAL;
++	if (substream->runtime->status->state == SNDRV_PCM_STATE_OPEN)
++		return -EBADFD;
+ 
+ 	if ((ch = substream->runtime->channels) > 128)
+ 		return -EINVAL;
diff --git a/queue-4.14/alsa-seq-fix-races-at-midi-encoding-in-snd_virmidi_output_trigger.patch b/queue-4.14/alsa-seq-fix-races-at-midi-encoding-in-snd_virmidi_output_trigger.patch
new file mode 100644
index 00000000000..98af4cabd0f
--- /dev/null
+++ b/queue-4.14/alsa-seq-fix-races-at-midi-encoding-in-snd_virmidi_output_trigger.patch
@@ -0,0 +1,53 @@
+From 8f22e52528cc372b218b5f100457469615c733ce Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Thu, 26 Apr 2018 09:17:45 +0200
+Subject: ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 8f22e52528cc372b218b5f100457469615c733ce upstream.
+
+The sequencer virmidi code has an open race at its output trigger
+callback: namely, virmidi keeps only one event packet for processing
+while it doesn't protect for concurrent output trigger calls.
+
+snd_virmidi_output_trigger() tries to process the previously
+unfinished event before starting encoding the given MIDI stream, but
+this is done without any lock.  Meanwhile, if another rawmidi stream
+starts the output trigger, this proceeds further, and overwrites the
+event package that is being processed in another thread.  This
+eventually corrupts and may lead to the invalid memory access if the
+event type is like SYSEX.
+
+The fix is just to move the spinlock to cover both the pending event
+and the new stream.
+
+The bug was spotted by a new fuzzer, RaceFuzzer.
+
+BugLink: http://lkml.kernel.org/r/20180426045223.GA15307@dragonet.kaist.ac.kr
+Reported-by: DaeRyong Jeong <threeearcat@gmail.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_virmidi.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/core/seq/seq_virmidi.c
++++ b/sound/core/seq/seq_virmidi.c
+@@ -174,12 +174,12 @@ static void snd_virmidi_output_trigger(s
+ 			}
+ 			return;
+ 		}
++		spin_lock_irqsave(&substream->runtime->lock, flags);
+ 		if (vmidi->event.type != SNDRV_SEQ_EVENT_NONE) {
+ 			if (snd_seq_kernel_client_dispatch(vmidi->client, &vmidi->event, in_atomic(), 0) < 0)
+-				return;
++				goto out;
+ 			vmidi->event.type = SNDRV_SEQ_EVENT_NONE;
+ 		}
+-		spin_lock_irqsave(&substream->runtime->lock, flags);
+ 		while (1) {
+ 			count = __snd_rawmidi_transmit_peek(substream, buf, sizeof(buf));
+ 			if (count <= 0)
diff --git a/queue-4.14/ib-mlx5-use-unlimited-rate-when-static-rate-is-not-supported.patch b/queue-4.14/ib-mlx5-use-unlimited-rate-when-static-rate-is-not-supported.patch
new file mode 100644
index 00000000000..8ba82028505
--- /dev/null
+++ b/queue-4.14/ib-mlx5-use-unlimited-rate-when-static-rate-is-not-supported.patch
@@ -0,0 +1,58 @@
+From 4f32ac2e452c2180cd2df581cbadac183e27ecd0 Mon Sep 17 00:00:00 2001
+From: Danit Goldberg <danitg@mellanox.com>
+Date: Mon, 23 Apr 2018 17:01:54 +0300
+Subject: IB/mlx5: Use unlimited rate when static rate is not supported
+
+From: Danit Goldberg <danitg@mellanox.com>
+
+commit 4f32ac2e452c2180cd2df581cbadac183e27ecd0 upstream.
+
+Before the change, if the user passed a static rate value different
+than zero and the FW doesn't support static rate,
+it would end up configuring rate of 2.5 GBps.
+
+Fix this by using rate 0; unlimited, in cases where FW
+doesn't support static rate configuration.
+
+Cc: <stable@vger.kernel.org> # 3.10
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Reviewed-by: Majd Dibbiny <majd@mellanox.com>
+Signed-off-by: Danit Goldberg <danitg@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx5/qp.c |   18 +++++++++---------
+ 1 file changed, 9 insertions(+), 9 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -2199,18 +2199,18 @@ enum {
+ 
+ static int ib_rate_to_mlx5(struct mlx5_ib_dev *dev, u8 rate)
+ {
+-	if (rate == IB_RATE_PORT_CURRENT) {
++	if (rate == IB_RATE_PORT_CURRENT)
+ 		return 0;
+-	} else if (rate < IB_RATE_2_5_GBPS || rate > IB_RATE_300_GBPS) {
++
++	if (rate < IB_RATE_2_5_GBPS || rate > IB_RATE_300_GBPS)
+ 		return -EINVAL;
+-	} else {
+-		while (rate != IB_RATE_2_5_GBPS &&
+-		       !(1 << (rate + MLX5_STAT_RATE_OFFSET) &
+-			 MLX5_CAP_GEN(dev->mdev, stat_rate_support)))
+-			--rate;
+-	}
+ 
+-	return rate + MLX5_STAT_RATE_OFFSET;
++	while (rate != IB_RATE_PORT_CURRENT &&
++	       !(1 << (rate + MLX5_STAT_RATE_OFFSET) &
++		 MLX5_CAP_GEN(dev->mdev, stat_rate_support)))
++		--rate;
++
++	return rate ? rate + MLX5_STAT_RATE_OFFSET : rate;
+ }
+ 
+ static int modify_raw_packet_eth_prio(struct mlx5_core_dev *dev,
diff --git a/queue-4.14/input-atmel_mxt_ts-add-touchpad-button-mapping-for-samsung-chromebook-pro.patch b/queue-4.14/input-atmel_mxt_ts-add-touchpad-button-mapping-for-samsung-chromebook-pro.patch
new file mode 100644
index 00000000000..aa4a1862b12
--- /dev/null
+++ b/queue-4.14/input-atmel_mxt_ts-add-touchpad-button-mapping-for-samsung-chromebook-pro.patch
@@ -0,0 +1,46 @@
+From f372b81101e6895252298e563d634d5e44ae81e7 Mon Sep 17 00:00:00 2001
+From: "Vittorio Gambaletta (VittGam)" <linuxbugs@vittgam.net>
+Date: Wed, 25 Apr 2018 15:22:13 -0700
+Subject: Input: atmel_mxt_ts - add touchpad button mapping for Samsung Chromebook Pro
+
+From: Vittorio Gambaletta (VittGam) <linuxbugs@vittgam.net>
+
+commit f372b81101e6895252298e563d634d5e44ae81e7 upstream.
+
+This patch adds the correct platform data information for the Caroline
+Chromebook, so that the mouse button does not get stuck in pressed state
+after the first click.
+
+The Samus button keymap and platform data definition are the correct
+ones for Caroline, so they have been reused here.
+
+Signed-off-by: Vittorio Gambaletta <linuxbugs@vittgam.net>
+Signed-off-by: Salvatore Bellizzi <lkml@seppia.net>
+Tested-by: Guenter Roeck <groeck@chromium.org>
+Cc: stable@vger.kernel.org
+[dtor: adjusted vendor spelling to match shipping firmware]
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/atmel_mxt_ts.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/input/touchscreen/atmel_mxt_ts.c
++++ b/drivers/input/touchscreen/atmel_mxt_ts.c
+@@ -3031,6 +3031,15 @@ static const struct dmi_system_id mxt_dm
+ 		.driver_data = samus_platform_data,
+ 	},
+ 	{
++		/* Samsung Chromebook Pro */
++		.ident = "Samsung Chromebook Pro",
++		.matches = {
++			DMI_MATCH(DMI_SYS_VENDOR, "Google"),
++			DMI_MATCH(DMI_PRODUCT_NAME, "Caroline"),
++		},
++		.driver_data = samus_platform_data,
++	},
++	{
+ 		/* Other Google Chromebooks */
+ 		.ident = "Chromebook",
+ 		.matches = {
diff --git a/queue-4.14/input-leds-fix-out-of-bound-access.patch b/queue-4.14/input-leds-fix-out-of-bound-access.patch
new file mode 100644
index 00000000000..1371b0e50af
--- /dev/null
+++ b/queue-4.14/input-leds-fix-out-of-bound-access.patch
@@ -0,0 +1,56 @@
+From 6bd6ae639683c0b41f46990d5c64ff9fbfa019dc Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Fri, 6 Apr 2018 10:23:05 -0700
+Subject: Input: leds - fix out of bound access
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 6bd6ae639683c0b41f46990d5c64ff9fbfa019dc upstream.
+
+UI_SET_LEDBIT ioctl() causes the following KASAN splat when used with
+led > LED_CHARGING:
+
+[ 1274.663418] BUG: KASAN: slab-out-of-bounds in input_leds_connect+0x611/0x730 [input_leds]
+[ 1274.663426] Write of size 8 at addr ffff88003377b2c0 by task ckb-next-daemon/5128
+
+This happens because we were writing to the led structure before making
+sure that it exists.
+
+Reported-by: Tasos Sahanidis <tasos@tasossah.com>
+Tested-by: Tasos Sahanidis <tasos@tasossah.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/input-leds.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/input/input-leds.c
++++ b/drivers/input/input-leds.c
+@@ -88,6 +88,7 @@ static int input_leds_connect(struct inp
+ 			      const struct input_device_id *id)
+ {
+ 	struct input_leds *leds;
++	struct input_led *led;
+ 	unsigned int num_leds;
+ 	unsigned int led_code;
+ 	int led_no;
+@@ -119,14 +120,13 @@ static int input_leds_connect(struct inp
+ 
+ 	led_no = 0;
+ 	for_each_set_bit(led_code, dev->ledbit, LED_CNT) {
+-		struct input_led *led = &leds->leds[led_no];
++		if (!input_led_info[led_code].name)
++			continue;
+ 
++		led = &leds->leds[led_no];
+ 		led->handle = &leds->handle;
+ 		led->code = led_code;
+ 
+-		if (!input_led_info[led_code].name)
+-			continue;
+-
+ 		led->cdev.name = kasprintf(GFP_KERNEL, "%s::%s",
+ 					   dev_name(&dev->dev),
+ 					   input_led_info[led_code].name);
diff --git a/queue-4.14/net-usb-qmi_wwan-add-support-for-ublox-r410m-pid-0x90b2.patch b/queue-4.14/net-usb-qmi_wwan-add-support-for-ublox-r410m-pid-0x90b2.patch
new file mode 100644
index 00000000000..df6822ee328
--- /dev/null
+++ b/queue-4.14/net-usb-qmi_wwan-add-support-for-ublox-r410m-pid-0x90b2.patch
@@ -0,0 +1,43 @@
+From 9306b38e42cb266f98bff6f6f4c1c652aa79ba45 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?SZ=20Lin=20=28=E6=9E=97=E4=B8=8A=E6=99=BA=29?=
+ <sz.lin@moxa.com>
+Date: Thu, 26 Apr 2018 14:30:13 +0800
+Subject: NET: usb: qmi_wwan: add support for ublox R410M PID 0x90b2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: SZ Lin (林上智) <sz.lin@moxa.com>
+
+commit 9306b38e42cb266f98bff6f6f4c1c652aa79ba45 upstream.
+
+This patch adds support for PID 0x90b2 of ublox R410M.
+
+qmicli -d /dev/cdc-wdm0 --dms-get-manufacturer
+[/dev/cdc-wdm0] Device manufacturer retrieved:
+        Manufacturer: 'u-blox'
+
+qmicli -d /dev/cdc-wdm0 --dms-get-model
+[/dev/cdc-wdm0] Device model retrieved:
+        Model: 'SARA-R410M-02B'
+
+Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/usb/qmi_wwan.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/qmi_wwan.c
++++ b/drivers/net/usb/qmi_wwan.c
+@@ -1098,6 +1098,7 @@ static const struct usb_device_id produc
+ 	{QMI_FIXED_INTF(0x05c6, 0x9080, 8)},
+ 	{QMI_FIXED_INTF(0x05c6, 0x9083, 3)},
+ 	{QMI_FIXED_INTF(0x05c6, 0x9084, 4)},
++	{QMI_FIXED_INTF(0x05c6, 0x90b2, 3)},    /* ublox R410M */
+ 	{QMI_FIXED_INTF(0x05c6, 0x920d, 0)},
+ 	{QMI_FIXED_INTF(0x05c6, 0x920d, 5)},
+ 	{QMI_QUIRK_SET_DTR(0x05c6, 0x9625, 4)},	/* YUGA CLM920-NC5 */
diff --git a/queue-4.14/rdma-cxgb4-release-hw-resources-on-device-removal.patch b/queue-4.14/rdma-cxgb4-release-hw-resources-on-device-removal.patch
new file mode 100644
index 00000000000..3e1a1ce3d15
--- /dev/null
+++ b/queue-4.14/rdma-cxgb4-release-hw-resources-on-device-removal.patch
@@ -0,0 +1,156 @@
+From 26bff1bd74a4f7417509a83295614e9dab995b2a Mon Sep 17 00:00:00 2001
+From: Raju Rangoju <rajur@chelsio.com>
+Date: Mon, 23 Apr 2018 21:42:37 +0530
+Subject: RDMA/cxgb4: release hw resources on device removal
+
+From: Raju Rangoju <rajur@chelsio.com>
+
+commit 26bff1bd74a4f7417509a83295614e9dab995b2a upstream.
+
+The c4iw_rdev_close() logic was not releasing all the hw
+resources (PBL and RQT memory) during the device removal
+event (driver unload / system reboot). This can cause panic
+in gen_pool_destroy().
+
+The module remove function will wait for all the hw
+resources to be released during the device removal event.
+
+Fixes c12a67fe(iw_cxgb4: free EQ queue memory on last deref)
+Signed-off-by: Raju Rangoju <rajur@chelsio.com>
+Reviewed-by: Steve Wise <swise@opengridcomputing.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/cxgb4/device.c   |    9 ++++++++-
+ drivers/infiniband/hw/cxgb4/iw_cxgb4.h |    4 ++++
+ drivers/infiniband/hw/cxgb4/resource.c |   26 ++++++++++++++++++++++++--
+ 3 files changed, 36 insertions(+), 3 deletions(-)
+
+--- a/drivers/infiniband/hw/cxgb4/device.c
++++ b/drivers/infiniband/hw/cxgb4/device.c
+@@ -884,6 +884,11 @@ static int c4iw_rdev_open(struct c4iw_rd
+ 
+ 	rdev->status_page->db_off = 0;
+ 
++	init_completion(&rdev->rqt_compl);
++	init_completion(&rdev->pbl_compl);
++	kref_init(&rdev->rqt_kref);
++	kref_init(&rdev->pbl_kref);
++
+ 	return 0;
+ err_free_status_page_and_wr_log:
+ 	if (c4iw_wr_log && rdev->wr_log)
+@@ -902,13 +907,15 @@ destroy_resource:
+ 
+ static void c4iw_rdev_close(struct c4iw_rdev *rdev)
+ {
+-	destroy_workqueue(rdev->free_workq);
+ 	kfree(rdev->wr_log);
+ 	c4iw_release_dev_ucontext(rdev, &rdev->uctx);
+ 	free_page((unsigned long)rdev->status_page);
+ 	c4iw_pblpool_destroy(rdev);
+ 	c4iw_rqtpool_destroy(rdev);
++	wait_for_completion(&rdev->pbl_compl);
++	wait_for_completion(&rdev->rqt_compl);
+ 	c4iw_ocqp_pool_destroy(rdev);
++	destroy_workqueue(rdev->free_workq);
+ 	c4iw_destroy_resource(&rdev->resource);
+ }
+ 
+--- a/drivers/infiniband/hw/cxgb4/iw_cxgb4.h
++++ b/drivers/infiniband/hw/cxgb4/iw_cxgb4.h
+@@ -185,6 +185,10 @@ struct c4iw_rdev {
+ 	struct wr_log_entry *wr_log;
+ 	int wr_log_size;
+ 	struct workqueue_struct *free_workq;
++	struct completion rqt_compl;
++	struct completion pbl_compl;
++	struct kref rqt_kref;
++	struct kref pbl_kref;
+ };
+ 
+ static inline int c4iw_fatal_error(struct c4iw_rdev *rdev)
+--- a/drivers/infiniband/hw/cxgb4/resource.c
++++ b/drivers/infiniband/hw/cxgb4/resource.c
+@@ -260,12 +260,22 @@ u32 c4iw_pblpool_alloc(struct c4iw_rdev
+ 		rdev->stats.pbl.cur += roundup(size, 1 << MIN_PBL_SHIFT);
+ 		if (rdev->stats.pbl.cur > rdev->stats.pbl.max)
+ 			rdev->stats.pbl.max = rdev->stats.pbl.cur;
++		kref_get(&rdev->pbl_kref);
+ 	} else
+ 		rdev->stats.pbl.fail++;
+ 	mutex_unlock(&rdev->stats.lock);
+ 	return (u32)addr;
+ }
+ 
++static void destroy_pblpool(struct kref *kref)
++{
++	struct c4iw_rdev *rdev;
++
++	rdev = container_of(kref, struct c4iw_rdev, pbl_kref);
++	gen_pool_destroy(rdev->pbl_pool);
++	complete(&rdev->pbl_compl);
++}
++
+ void c4iw_pblpool_free(struct c4iw_rdev *rdev, u32 addr, int size)
+ {
+ 	pr_debug("%s addr 0x%x size %d\n", __func__, addr, size);
+@@ -273,6 +283,7 @@ void c4iw_pblpool_free(struct c4iw_rdev
+ 	rdev->stats.pbl.cur -= roundup(size, 1 << MIN_PBL_SHIFT);
+ 	mutex_unlock(&rdev->stats.lock);
+ 	gen_pool_free(rdev->pbl_pool, (unsigned long)addr, size);
++	kref_put(&rdev->pbl_kref, destroy_pblpool);
+ }
+ 
+ int c4iw_pblpool_create(struct c4iw_rdev *rdev)
+@@ -310,7 +321,7 @@ int c4iw_pblpool_create(struct c4iw_rdev
+ 
+ void c4iw_pblpool_destroy(struct c4iw_rdev *rdev)
+ {
+-	gen_pool_destroy(rdev->pbl_pool);
++	kref_put(&rdev->pbl_kref, destroy_pblpool);
+ }
+ 
+ /*
+@@ -331,12 +342,22 @@ u32 c4iw_rqtpool_alloc(struct c4iw_rdev
+ 		rdev->stats.rqt.cur += roundup(size << 6, 1 << MIN_RQT_SHIFT);
+ 		if (rdev->stats.rqt.cur > rdev->stats.rqt.max)
+ 			rdev->stats.rqt.max = rdev->stats.rqt.cur;
++		kref_get(&rdev->rqt_kref);
+ 	} else
+ 		rdev->stats.rqt.fail++;
+ 	mutex_unlock(&rdev->stats.lock);
+ 	return (u32)addr;
+ }
+ 
++static void destroy_rqtpool(struct kref *kref)
++{
++	struct c4iw_rdev *rdev;
++
++	rdev = container_of(kref, struct c4iw_rdev, rqt_kref);
++	gen_pool_destroy(rdev->rqt_pool);
++	complete(&rdev->rqt_compl);
++}
++
+ void c4iw_rqtpool_free(struct c4iw_rdev *rdev, u32 addr, int size)
+ {
+ 	pr_debug("%s addr 0x%x size %d\n", __func__, addr, size << 6);
+@@ -344,6 +365,7 @@ void c4iw_rqtpool_free(struct c4iw_rdev
+ 	rdev->stats.rqt.cur -= roundup(size << 6, 1 << MIN_RQT_SHIFT);
+ 	mutex_unlock(&rdev->stats.lock);
+ 	gen_pool_free(rdev->rqt_pool, (unsigned long)addr, size << 6);
++	kref_put(&rdev->rqt_kref, destroy_rqtpool);
+ }
+ 
+ int c4iw_rqtpool_create(struct c4iw_rdev *rdev)
+@@ -380,7 +402,7 @@ int c4iw_rqtpool_create(struct c4iw_rdev
+ 
+ void c4iw_rqtpool_destroy(struct c4iw_rdev *rdev)
+ {
+-	gen_pool_destroy(rdev->rqt_pool);
++	kref_put(&rdev->rqt_kref, destroy_rqtpool);
+ }
+ 
+ /*
diff --git a/queue-4.14/rdma-mlx4-add-missed-rss-hash-inner-header-flag.patch b/queue-4.14/rdma-mlx4-add-missed-rss-hash-inner-header-flag.patch
new file mode 100644
index 00000000000..ada4b94f9d0
--- /dev/null
+++ b/queue-4.14/rdma-mlx4-add-missed-rss-hash-inner-header-flag.patch
@@ -0,0 +1,36 @@
+From 4f9ca2d8686ecfdd40ca4f0294a3d94f83f05cea Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky <leonro@mellanox.com>
+Date: Thu, 26 Apr 2018 15:37:48 +0300
+Subject: RDMA/mlx4: Add missed RSS hash inner header flag
+
+From: Leon Romanovsky <leonro@mellanox.com>
+
+commit 4f9ca2d8686ecfdd40ca4f0294a3d94f83f05cea upstream.
+
+Despite being advertised to user space application, the RSS inner
+header flag was filtered by checks at the beginning of QP creation
+routine.
+
+Cc: <stable@vger.kernel.org> # 4.15
+Fixes: 4d02ebd9bbbd ("IB/mlx4: Fix RSS hash fields restrictions")
+Fixes: 07d84f7b6adf ("IB/mlx4: Add support to RSS hash for inner headers")
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx4/qp.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/infiniband/hw/mlx4/qp.c
++++ b/drivers/infiniband/hw/mlx4/qp.c
+@@ -673,7 +673,8 @@ static int set_qp_rss(struct mlx4_ib_dev
+ 					  MLX4_IB_RX_HASH_SRC_PORT_TCP	|
+ 					  MLX4_IB_RX_HASH_DST_PORT_TCP	|
+ 					  MLX4_IB_RX_HASH_SRC_PORT_UDP	|
+-					  MLX4_IB_RX_HASH_DST_PORT_UDP)) {
++					  MLX4_IB_RX_HASH_DST_PORT_UDP  |
++					  MLX4_IB_RX_HASH_INNER)) {
+ 		pr_debug("RX Hash fields_mask has unsupported mask (0x%llx)\n",
+ 			 ucmd->rx_hash_fields_mask);
+ 		return (-EOPNOTSUPP);
diff --git a/queue-4.14/rdma-mlx5-fix-multiple-null-ptr-deref-errors-in-rereg_mr-flow.patch b/queue-4.14/rdma-mlx5-fix-multiple-null-ptr-deref-errors-in-rereg_mr-flow.patch
new file mode 100644
index 00000000000..67712f3f6df
--- /dev/null
+++ b/queue-4.14/rdma-mlx5-fix-multiple-null-ptr-deref-errors-in-rereg_mr-flow.patch
@@ -0,0 +1,107 @@
+From b4bd701ac469075d94ed9699a28755f2862252b9 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky <leonro@mellanox.com>
+Date: Mon, 23 Apr 2018 17:01:52 +0300
+Subject: RDMA/mlx5: Fix multiple NULL-ptr deref errors in rereg_mr flow
+
+From: Leon Romanovsky <leonro@mellanox.com>
+
+commit b4bd701ac469075d94ed9699a28755f2862252b9 upstream.
+
+Failure in rereg MR releases UMEM but leaves the MR to be destroyed
+by the user. As a result the following scenario may happen:
+"create MR -> rereg MR with failure -> call to rereg MR again" and
+hit "NULL-ptr deref or user memory access" errors.
+
+Ensure that rereg MR is only performed on a non-dead MR.
+
+Cc: syzkaller <syzkaller@googlegroups.com>
+Cc: <stable@vger.kernel.org> # 4.5
+Fixes: 395a8e4c32ea ("IB/mlx5: Refactoring register MR code")
+Reported-by: Noa Osherovich <noaos@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx5/mr.c |   32 +++++++++++++++++++++++---------
+ 1 file changed, 23 insertions(+), 9 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx5/mr.c
++++ b/drivers/infiniband/hw/mlx5/mr.c
+@@ -833,25 +833,28 @@ static int mr_umem_get(struct ib_pd *pd,
+ 		       int *order)
+ {
+ 	struct mlx5_ib_dev *dev = to_mdev(pd->device);
++	struct ib_umem *u;
+ 	int err;
+ 
+-	*umem = ib_umem_get(pd->uobject->context, start, length,
+-			    access_flags, 0);
+-	err = PTR_ERR_OR_ZERO(*umem);
++	*umem = NULL;
++
++	u = ib_umem_get(pd->uobject->context, start, length, access_flags, 0);
++	err = PTR_ERR_OR_ZERO(u);
+ 	if (err) {
+-		*umem = NULL;
+-		mlx5_ib_err(dev, "umem get failed (%d)\n", err);
++		mlx5_ib_dbg(dev, "umem get failed (%d)\n", err);
+ 		return err;
+ 	}
+ 
+-	mlx5_ib_cont_pages(*umem, start, MLX5_MKEY_PAGE_SHIFT_MASK, npages,
++	mlx5_ib_cont_pages(u, start, MLX5_MKEY_PAGE_SHIFT_MASK, npages,
+ 			   page_shift, ncont, order);
+ 	if (!*npages) {
+ 		mlx5_ib_warn(dev, "avoid zero region\n");
+-		ib_umem_release(*umem);
++		ib_umem_release(u);
+ 		return -EINVAL;
+ 	}
+ 
++	*umem = u;
++
+ 	mlx5_ib_dbg(dev, "npages %d, ncont %d, order %d, page_shift %d\n",
+ 		    *npages, *ncont, *order, *page_shift);
+ 
+@@ -1340,13 +1343,12 @@ int mlx5_ib_rereg_user_mr(struct ib_mr *
+ 	int access_flags = flags & IB_MR_REREG_ACCESS ?
+ 			    new_access_flags :
+ 			    mr->access_flags;
+-	u64 addr = (flags & IB_MR_REREG_TRANS) ? virt_addr : mr->umem->address;
+-	u64 len = (flags & IB_MR_REREG_TRANS) ? length : mr->umem->length;
+ 	int page_shift = 0;
+ 	int upd_flags = 0;
+ 	int npages = 0;
+ 	int ncont = 0;
+ 	int order = 0;
++	u64 addr, len;
+ 	int err;
+ 
+ 	mlx5_ib_dbg(dev, "start 0x%llx, virt_addr 0x%llx, length 0x%llx, access_flags 0x%x\n",
+@@ -1354,6 +1356,17 @@ int mlx5_ib_rereg_user_mr(struct ib_mr *
+ 
+ 	atomic_sub(mr->npages, &dev->mdev->priv.reg_pages);
+ 
++	if (!mr->umem)
++		return -EINVAL;
++
++	if (flags & IB_MR_REREG_TRANS) {
++		addr = virt_addr;
++		len = length;
++	} else {
++		addr = mr->umem->address;
++		len = mr->umem->length;
++	}
++
+ 	if (flags != IB_MR_REREG_PD) {
+ 		/*
+ 		 * Replace umem. This needs to be done whether or not UMR is
+@@ -1361,6 +1374,7 @@ int mlx5_ib_rereg_user_mr(struct ib_mr *
+ 		 */
+ 		flags |= IB_MR_REREG_TRANS;
+ 		ib_umem_release(mr->umem);
++		mr->umem = NULL;
+ 		err = mr_umem_get(pd, addr, len, access_flags, &mr->umem,
+ 				  &npages, &page_shift, &ncont, &order);
+ 		if (err < 0) {
diff --git a/queue-4.14/rdma-mlx5-protect-from-shift-operand-overflow.patch b/queue-4.14/rdma-mlx5-protect-from-shift-operand-overflow.patch
new file mode 100644
index 00000000000..ec88c1ef677
--- /dev/null
+++ b/queue-4.14/rdma-mlx5-protect-from-shift-operand-overflow.patch
@@ -0,0 +1,62 @@
+From 002bf2282b2d7318e444dca9ffcb994afc5d5f15 Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky <leonro@mellanox.com>
+Date: Mon, 23 Apr 2018 17:01:53 +0300
+Subject: RDMA/mlx5: Protect from shift operand overflow
+
+From: Leon Romanovsky <leonro@mellanox.com>
+
+commit 002bf2282b2d7318e444dca9ffcb994afc5d5f15 upstream.
+
+Ensure that user didn't supply values too large that can cause overflow.
+
+UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx5/qp.c:263:23
+shift exponent -2147483648 is negative
+CPU: 0 PID: 292 Comm: syzkaller612609 Not tainted 4.16.0-rc1+ #131
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014 Call
+Trace:
+dump_stack+0xde/0x164
+ubsan_epilogue+0xe/0x81
+set_rq_size+0x7c2/0xa90
+create_qp_common+0xc18/0x43c0
+mlx5_ib_create_qp+0x379/0x1ca0
+create_qp.isra.5+0xc94/0x2260
+ib_uverbs_create_qp+0x21b/0x2a0
+ib_uverbs_write+0xc2c/0x1010
+vfs_write+0x1b0/0x550
+SyS_write+0xc7/0x1a0
+do_syscall_64+0x1aa/0x740
+entry_SYSCALL_64_after_hwframe+0x26/0x9b
+RIP: 0033:0x433569
+RSP: 002b:00007ffc6e62f448 EFLAGS: 00000217 ORIG_RAX: 0000000000000001
+RAX: ffffffffffffffda RBX: 00000000004002f8 RCX: 0000000000433569
+RDX: 0000000000000070 RSI: 00000000200042c0 RDI: 0000000000000003
+RBP: 00000000006d5018 R08: 00000000004002f8 R09: 00000000004002f8
+R10: 00000000004002f8 R11: 0000000000000217 R12: 0000000000000000
+R13: 000000000040c9f0 R14: 000000000040ca80 R15: 0000000000000006
+
+Cc: <stable@vger.kernel.org> # 3.10
+Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters")
+Cc: syzkaller <syzkaller@googlegroups.com>
+Reported-by: Noa Osherovich <noaos@mellanox.com>
+Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/hw/mlx5/qp.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/infiniband/hw/mlx5/qp.c
++++ b/drivers/infiniband/hw/mlx5/qp.c
+@@ -256,7 +256,11 @@ static int set_rq_size(struct mlx5_ib_de
+ 	} else {
+ 		if (ucmd) {
+ 			qp->rq.wqe_cnt = ucmd->rq_wqe_count;
++			if (ucmd->rq_wqe_shift > BITS_PER_BYTE * sizeof(ucmd->rq_wqe_shift))
++				return -EINVAL;
+ 			qp->rq.wqe_shift = ucmd->rq_wqe_shift;
++			if ((1 << qp->rq.wqe_shift) / sizeof(struct mlx5_wqe_data_seg) < qp->wq_sig)
++				return -EINVAL;
+ 			qp->rq.max_gs = (1 << qp->rq.wqe_shift) / sizeof(struct mlx5_wqe_data_seg) - qp->wq_sig;
+ 			qp->rq.max_post = qp->rq.wqe_cnt;
+ 		} else {
diff --git a/queue-4.14/rdma-ucma-allow-resolving-address-w-o-specifying-source-address.patch b/queue-4.14/rdma-ucma-allow-resolving-address-w-o-specifying-source-address.patch
new file mode 100644
index 00000000000..308a1045b87
--- /dev/null
+++ b/queue-4.14/rdma-ucma-allow-resolving-address-w-o-specifying-source-address.patch
@@ -0,0 +1,39 @@
+From 09abfe7b5b2f442a85f4c4d59ecf582ad76088d7 Mon Sep 17 00:00:00 2001
+From: Roland Dreier <roland@purestorage.com>
+Date: Thu, 19 Apr 2018 08:28:11 -0700
+Subject: RDMA/ucma: Allow resolving address w/o specifying source address
+
+From: Roland Dreier <roland@purestorage.com>
+
+commit 09abfe7b5b2f442a85f4c4d59ecf582ad76088d7 upstream.
+
+The RDMA CM will select a source device and address by consulting
+the routing table if no source address is passed into
+rdma_resolve_address().  Userspace will ask for this by passing an
+all-zero source address in the RESOLVE_IP command.  Unfortunately
+the new check for non-zero address size rejects this with EINVAL,
+which breaks valid userspace applications.
+
+Fix this by explicitly allowing a zero address family for the source.
+
+Fixes: 2975d5de6428 ("RDMA/ucma: Check AF family prior resolving address")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/infiniband/core/ucma.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -678,7 +678,7 @@ static ssize_t ucma_resolve_ip(struct uc
+ 	if (copy_from_user(&cmd, inbuf, sizeof(cmd)))
+ 		return -EFAULT;
+ 
+-	if (!rdma_addr_size_in6(&cmd.src_addr) ||
++	if ((cmd.src_addr.sin6_family && !rdma_addr_size_in6(&cmd.src_addr)) ||
+ 	    !rdma_addr_size_in6(&cmd.dst_addr))
+ 		return -EINVAL;
+ 
diff --git a/queue-4.14/rtlwifi-cleanup-8723be-ant_sel-definition.patch b/queue-4.14/rtlwifi-cleanup-8723be-ant_sel-definition.patch
new file mode 100644
index 00000000000..ba88e2b53b5
--- /dev/null
+++ b/queue-4.14/rtlwifi-cleanup-8723be-ant_sel-definition.patch
@@ -0,0 +1,146 @@
+From af8a41cccf8f469165c6debc8fe07c5fd2ca501a Mon Sep 17 00:00:00 2001
+From: Ping-Ke Shih <pkshih@realtek.com>
+Date: Fri, 20 Apr 2018 10:30:09 +0800
+Subject: rtlwifi: cleanup 8723be ant_sel definition
+
+From: Ping-Ke Shih <pkshih@realtek.com>
+
+commit af8a41cccf8f469165c6debc8fe07c5fd2ca501a upstream.
+
+Some HP laptops have only a single wifi antenna. This would not be a
+problem except that they were shipped with an incorrectly encoded
+EFUSE. It should have been possible to open the computer and transfer
+the antenna connection to the other terminal except that such action
+might void the warranty, and moving the antenna broke the Windows
+driver. The fix was to add a module option that would override the
+EFUSE encoding. That was done with commit c18d8f509571 ("rtlwifi:
+rtl8723be: Add antenna select module parameter"). There was still a
+problem with Bluetooth coexistence, which was addressed with commit
+baa170229095 ("rtlwifi: btcoexist: Implement antenna selection").
+There were still problems, thus there were commit 0ff78adeef11
+("rtlwifi: rtl8723be: fix ant_sel code") and commit 6d6226928369
+("rtlwifi: btcoexist: Fix antenna selection code"). Despite all these
+attempts at fixing the problem, the code is not yet right. A proper
+fix is important as there are now instances of laptops having
+RTL8723DE chips with the same problem.
+
+The module parameter ant_sel is used to control antenna number and path.
+At present enum ANT_{X2,X1} is used to define the antenna number, but
+this choice is not intuitive, thus change to a new enum ANT_{MAIN,AUX}
+to make it more readable. This change showed examples where incorrect
+values were used. It was also possible to remove a workaround in
+halbtcoutsrc.c.
+
+The experimental results with single antenna connected to specific path
+are now as follows:
+  ant_sel  ANT_MAIN(#1)  ANT_AUX(#2)
+     0        -8            -62
+     1        -62           -10
+     2        -6            -60
+
+Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
+Fixes: c18d8f509571 ("rtlwifi: rtl8723be: Add antenna select module parameter")
+Fixes: baa170229095 ("rtlwifi: btcoexist: Implement antenna selection")
+Fixes: 0ff78adeef11 ("rtlwifi: rtl8723be: fix ant_sel code")
+Fixes: 6d6226928369 ("rtlwifi: btcoexist: Fix antenna selection code")
+Cc: Stable <stable@vger.kernel.org> # 4.7+
+Reviewed-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.c |   15 ----------
+ drivers/net/wireless/realtek/rtlwifi/rtl8723be/hw.c           |   11 ++++---
+ drivers/net/wireless/realtek/rtlwifi/wifi.h                   |    5 +++
+ 3 files changed, 12 insertions(+), 19 deletions(-)
+
+--- a/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.c
++++ b/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.c
+@@ -173,16 +173,6 @@ static u8 halbtc_get_wifi_central_chnl(s
+ 
+ u8 rtl_get_hwpg_single_ant_path(struct rtl_priv *rtlpriv)
+ {
+-	struct rtl_mod_params *mod_params = rtlpriv->cfg->mod_params;
+-
+-	/* override ant_num / ant_path */
+-	if (mod_params->ant_sel) {
+-		rtlpriv->btcoexist.btc_info.ant_num =
+-			(mod_params->ant_sel == 1 ? ANT_X2 : ANT_X1);
+-
+-		rtlpriv->btcoexist.btc_info.single_ant_path =
+-			(mod_params->ant_sel == 1 ? 0 : 1);
+-	}
+ 	return rtlpriv->btcoexist.btc_info.single_ant_path;
+ }
+ 
+@@ -193,7 +183,6 @@ u8 rtl_get_hwpg_bt_type(struct rtl_priv
+ 
+ u8 rtl_get_hwpg_ant_num(struct rtl_priv *rtlpriv)
+ {
+-	struct rtl_mod_params *mod_params = rtlpriv->cfg->mod_params;
+ 	u8 num;
+ 
+ 	if (rtlpriv->btcoexist.btc_info.ant_num == ANT_X2)
+@@ -201,10 +190,6 @@ u8 rtl_get_hwpg_ant_num(struct rtl_priv
+ 	else
+ 		num = 1;
+ 
+-	/* override ant_num / ant_path */
+-	if (mod_params->ant_sel)
+-		num = (mod_params->ant_sel == 1 ? ANT_X2 : ANT_X1) + 1;
+-
+ 	return num;
+ }
+ 
+--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/hw.c
++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/hw.c
+@@ -846,6 +846,9 @@ static bool _rtl8723be_init_mac(struct i
+ 		return false;
+ 	}
+ 
++	if (rtlpriv->cfg->ops->get_btc_status())
++		rtlpriv->btcoexist.btc_ops->btc_power_on_setting(rtlpriv);
++
+ 	bytetmp = rtl_read_byte(rtlpriv, REG_MULTI_FUNC_CTRL);
+ 	rtl_write_byte(rtlpriv, REG_MULTI_FUNC_CTRL, bytetmp | BIT(3));
+ 
+@@ -2696,21 +2699,21 @@ void rtl8723be_read_bt_coexist_info_from
+ 		rtlpriv->btcoexist.btc_info.bt_type = BT_RTL8723B;
+ 		rtlpriv->btcoexist.btc_info.ant_num = (value & 0x1);
+ 		rtlpriv->btcoexist.btc_info.single_ant_path =
+-			 (value & 0x40);	/*0xc3[6]*/
++			 (value & 0x40 ? ANT_AUX : ANT_MAIN);	/*0xc3[6]*/
+ 	} else {
+ 		rtlpriv->btcoexist.btc_info.btcoexist = 0;
+ 		rtlpriv->btcoexist.btc_info.bt_type = BT_RTL8723B;
+ 		rtlpriv->btcoexist.btc_info.ant_num = ANT_X2;
+-		rtlpriv->btcoexist.btc_info.single_ant_path = 0;
++		rtlpriv->btcoexist.btc_info.single_ant_path = ANT_MAIN;
+ 	}
+ 
+ 	/* override ant_num / ant_path */
+ 	if (mod_params->ant_sel) {
+ 		rtlpriv->btcoexist.btc_info.ant_num =
+-			(mod_params->ant_sel == 1 ? ANT_X2 : ANT_X1);
++			(mod_params->ant_sel == 1 ? ANT_X1 : ANT_X2);
+ 
+ 		rtlpriv->btcoexist.btc_info.single_ant_path =
+-			(mod_params->ant_sel == 1 ? 0 : 1);
++			(mod_params->ant_sel == 1 ? ANT_AUX : ANT_MAIN);
+ 	}
+ }
+ 
+--- a/drivers/net/wireless/realtek/rtlwifi/wifi.h
++++ b/drivers/net/wireless/realtek/rtlwifi/wifi.h
+@@ -2707,6 +2707,11 @@ enum bt_ant_num {
+ 	ANT_X1 = 1,
+ };
+ 
++enum bt_ant_path {
++	ANT_MAIN = 0,
++	ANT_AUX = 1,
++};
++
+ enum bt_co_type {
+ 	BT_2WIRE = 0,
+ 	BT_ISSC_3WIRE = 1,
diff --git a/queue-4.14/scsi-target-fix-fortify_panic-kernel-exception.patch b/queue-4.14/scsi-target-fix-fortify_panic-kernel-exception.patch
new file mode 100644
index 00000000000..a9b3d43cd9e
--- /dev/null
+++ b/queue-4.14/scsi-target-fix-fortify_panic-kernel-exception.patch
@@ -0,0 +1,74 @@
+From f5957dade4f373b04fa1f5315a489f18cc2c4cb4 Mon Sep 17 00:00:00 2001
+From: Bryant G Ly <bryantly@linux.vnet.ibm.com>
+Date: Tue, 17 Apr 2018 10:33:21 -0500
+Subject: scsi: target: Fix fortify_panic kernel exception
+
+From: Bryant G Ly <bryantly@linux.vnet.ibm.com>
+
+commit f5957dade4f373b04fa1f5315a489f18cc2c4cb4 upstream.
+
+memcmp() requires the two buffers passed as arguments to be at least
+'size' bytes long, otherwise a fortify_panic will trigger.
+
+Use memchr_inv() instead of memcmp() to determine whether the received
+payload is zeroed or not.
+
+The bug was found by running a block backstore via LIO.
+
+[  496.212958] Call Trace:
+[  496.212960] [c0000007e58e3800] [c000000000cbbefc] fortify_panic+0x24/0x38 (unreliable)
+[  496.212965] [c0000007e58e3860] [d00000000f150c28] iblock_execute_write_same+0x3b8/0x3c0 [target_core_iblock]
+[  496.212976] [c0000007e58e3910] [d000000006c737d4] __target_execute_cmd+0x54/0x150 [target_core_mod]
+[  496.212982] [c0000007e58e3940] [d000000006d32ce4] ibmvscsis_write_pending+0x74/0xe0 [ibmvscsis]
+[  496.212991] [c0000007e58e39b0] [d000000006c74fc8] transport_generic_new_cmd+0x318/0x370 [target_core_mod]
+[  496.213001] [c0000007e58e3a30] [d000000006c75084] transport_handle_cdb_direct+0x64/0xd0 [target_core_mod]
+[  496.213011] [c0000007e58e3aa0] [d000000006c75298] target_submit_cmd_map_sgls+0x1a8/0x320 [target_core_mod]
+[  496.213021] [c0000007e58e3b30] [d000000006c75458] target_submit_cmd+0x48/0x60 [target_core_mod]
+[  496.213026] [c0000007e58e3bd0] [d000000006d34c20] ibmvscsis_scheduler+0x370/0x600 [ibmvscsis]
+[  496.213031] [c0000007e58e3c90] [c00000000013135c] process_one_work+0x1ec/0x580
+[  496.213035] [c0000007e58e3d20] [c000000000131798] worker_thread+0xa8/0x600
+[  496.213039] [c0000007e58e3dc0] [c00000000013a468] kthread+0x168/0x1b0
+[  496.213044] [c0000007e58e3e30] [c00000000000b528] ret_from_kernel_thread+0x5c/0xb4
+
+[mkp: tweaked commit message]
+
+Fixes: 2237498f0b5c ("target/iblock: Convert WRITE_SAME to blkdev_issue_zeroout")
+Signed-off-by: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
+Reviewed-by: Steven Royer <seroyer@linux.vnet.ibm.com>
+Tested-by: Taylor Jakobson <tjakobs@us.ibm.com>
+Cc: Christoph Hellwig <hch@lst.de>
+Cc: Nicholas Bellinger <nab@linux-iscsi.org>
+Cc: <stable@vger.kernel.org> # v4.13+
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_iblock.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/target/target_core_iblock.c
++++ b/drivers/target/target_core_iblock.c
+@@ -427,8 +427,8 @@ iblock_execute_zero_out(struct block_dev
+ {
+ 	struct se_device *dev = cmd->se_dev;
+ 	struct scatterlist *sg = &cmd->t_data_sg[0];
+-	unsigned char *buf, zero = 0x00, *p = &zero;
+-	int rc, ret;
++	unsigned char *buf, *not_zero;
++	int ret;
+ 
+ 	buf = kmap(sg_page(sg)) + sg->offset;
+ 	if (!buf)
+@@ -437,10 +437,10 @@ iblock_execute_zero_out(struct block_dev
+ 	 * Fall back to block_execute_write_same() slow-path if
+ 	 * incoming WRITE_SAME payload does not contain zeros.
+ 	 */
+-	rc = memcmp(buf, p, cmd->data_length);
++	not_zero = memchr_inv(buf, 0x00, cmd->data_length);
+ 	kunmap(sg_page(sg));
+ 
+-	if (rc)
++	if (not_zero)
+ 		return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
+ 
+ 	ret = blkdev_issue_zeroout(bdev,
diff --git a/queue-4.14/series b/queue-4.14/series
index 2b9fce7ea13..3dea4e1e484 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -2,3 +2,22 @@ percpu-include-linux-sched.h-for-cond_resched.patch
 crypto-talitos-fix-ipsec-cipher-in-length.patch
 acpi-button-make-module-loadable-when-booted-in-non-acpi-mode.patch
 usb-serial-option-add-support-for-quectel-ep06.patch
+alsa-hda-fix-incorrect-usage-of-is_reachable.patch
+alsa-pcm-check-pcm-state-at-xfern-compat-ioctl.patch
+alsa-seq-fix-races-at-midi-encoding-in-snd_virmidi_output_trigger.patch
+alsa-dice-fix-kernel-null-pointer-dereference-due-to-invalid-calculation-for-array-index.patch
+alsa-aloop-mark-paused-device-as-inactive.patch
+alsa-aloop-add-missing-cable-lock-to-ctl-api-callbacks.patch
+tracepoint-do-not-warn-on-enomem.patch
+scsi-target-fix-fortify_panic-kernel-exception.patch
+input-leds-fix-out-of-bound-access.patch
+input-atmel_mxt_ts-add-touchpad-button-mapping-for-samsung-chromebook-pro.patch
+rtlwifi-cleanup-8723be-ant_sel-definition.patch
+xfs-prevent-creating-negative-sized-file-via-insert_range.patch
+rdma-cxgb4-release-hw-resources-on-device-removal.patch
+rdma-ucma-allow-resolving-address-w-o-specifying-source-address.patch
+rdma-mlx5-fix-multiple-null-ptr-deref-errors-in-rereg_mr-flow.patch
+rdma-mlx4-add-missed-rss-hash-inner-header-flag.patch
+rdma-mlx5-protect-from-shift-operand-overflow.patch
+net-usb-qmi_wwan-add-support-for-ublox-r410m-pid-0x90b2.patch
+ib-mlx5-use-unlimited-rate-when-static-rate-is-not-supported.patch
diff --git a/queue-4.14/tracepoint-do-not-warn-on-enomem.patch b/queue-4.14/tracepoint-do-not-warn-on-enomem.patch
new file mode 100644
index 00000000000..e5f5119b62a
--- /dev/null
+++ b/queue-4.14/tracepoint-do-not-warn-on-enomem.patch
@@ -0,0 +1,60 @@
+From d66a270be3310d7aa132fec0cea77d3d32a0ff75 Mon Sep 17 00:00:00 2001
+From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Date: Thu, 15 Mar 2018 08:44:24 -0400
+Subject: tracepoint: Do not warn on ENOMEM
+
+From: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+
+commit d66a270be3310d7aa132fec0cea77d3d32a0ff75 upstream.
+
+Tracepoint should only warn when a kernel API user does not respect the
+required preconditions (e.g. same tracepoint enabled twice, or called
+to remove a tracepoint that does not exist).
+
+Silence warning in out-of-memory conditions, given that the error is
+returned to the caller.
+
+This ensures that out-of-memory error-injection testing does not trigger
+warnings in tracepoint.c, which were seen by syzbot.
+
+Link: https://lkml.kernel.org/r/001a114465e241a8720567419a72@google.com
+Link: https://lkml.kernel.org/r/001a1140e0de15fc910567464190@google.com
+Link: http://lkml.kernel.org/r/20180315124424.32319-1-mathieu.desnoyers@efficios.com
+
+CC: Peter Zijlstra <peterz@infradead.org>
+CC: Jiri Olsa <jolsa@redhat.com>
+CC: Arnaldo Carvalho de Melo <acme@kernel.org>
+CC: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+CC: Namhyung Kim <namhyung@kernel.org>
+CC: stable@vger.kernel.org
+Fixes: de7b2973903c6 ("tracepoint: Use struct pointer instead of name hash for reg/unreg tracepoints")
+Reported-by: syzbot+9c0d616860575a73166a@syzkaller.appspotmail.com
+Reported-by: syzbot+4e9ae7fa46233396f64d@syzkaller.appspotmail.com
+Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/tracepoint.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/tracepoint.c
++++ b/kernel/tracepoint.c
+@@ -207,7 +207,7 @@ static int tracepoint_add_func(struct tr
+ 			lockdep_is_held(&tracepoints_mutex));
+ 	old = func_add(&tp_funcs, func, prio);
+ 	if (IS_ERR(old)) {
+-		WARN_ON_ONCE(1);
++		WARN_ON_ONCE(PTR_ERR(old) != -ENOMEM);
+ 		return PTR_ERR(old);
+ 	}
+ 
+@@ -240,7 +240,7 @@ static int tracepoint_remove_func(struct
+ 			lockdep_is_held(&tracepoints_mutex));
+ 	old = func_remove(&tp_funcs, func);
+ 	if (IS_ERR(old)) {
+-		WARN_ON_ONCE(1);
++		WARN_ON_ONCE(PTR_ERR(old) != -ENOMEM);
+ 		return PTR_ERR(old);
+ 	}
+ 
diff --git a/queue-4.14/xfs-prevent-creating-negative-sized-file-via-insert_range.patch b/queue-4.14/xfs-prevent-creating-negative-sized-file-via-insert_range.patch
new file mode 100644
index 00000000000..7e66eeff7c5
--- /dev/null
+++ b/queue-4.14/xfs-prevent-creating-negative-sized-file-via-insert_range.patch
@@ -0,0 +1,70 @@
+From 7d83fb14258b9961920cd86f0b921caaeb3ebe85 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong" <darrick.wong@oracle.com>
+Date: Mon, 16 Apr 2018 23:07:45 -0700
+Subject: xfs: prevent creating negative-sized file via INSERT_RANGE
+
+From: Darrick J. Wong <darrick.wong@oracle.com>
+
+commit 7d83fb14258b9961920cd86f0b921caaeb3ebe85 upstream.
+
+During the "insert range" fallocate operation, i_size grows by the
+specified 'len' bytes.  XFS verifies that i_size + len < s_maxbytes, as
+it should.  But this comparison is done using the signed 'loff_t', and
+'i_size + len' can wrap around to a negative value, causing the check to
+incorrectly pass, resulting in an inode with "negative" i_size.  This is
+possible on 64-bit platforms, where XFS sets s_maxbytes = LLONG_MAX.
+ext4 and f2fs don't run into this because they set a smaller s_maxbytes.
+
+Fix it by using subtraction instead.
+
+Reproducer:
+    xfs_io -f file -c "truncate $(((1<<63)-1))" -c "finsert 0 4096"
+
+Fixes: a904b1ca5751 ("xfs: Add support FALLOC_FL_INSERT_RANGE for fallocate")
+Cc: <stable@vger.kernel.org> # v4.1+
+Originally-From: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+[darrick: fix signed integer addition overflow too]
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xfs/xfs_file.c |   14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/fs/xfs/xfs_file.c
++++ b/fs/xfs/xfs_file.c
+@@ -811,22 +811,26 @@ xfs_file_fallocate(
+ 		if (error)
+ 			goto out_unlock;
+ 	} else if (mode & FALLOC_FL_INSERT_RANGE) {
+-		unsigned int blksize_mask = i_blocksize(inode) - 1;
++		unsigned int	blksize_mask = i_blocksize(inode) - 1;
++		loff_t		isize = i_size_read(inode);
+ 
+-		new_size = i_size_read(inode) + len;
+ 		if (offset & blksize_mask || len & blksize_mask) {
+ 			error = -EINVAL;
+ 			goto out_unlock;
+ 		}
+ 
+-		/* check the new inode size does not wrap through zero */
+-		if (new_size > inode->i_sb->s_maxbytes) {
++		/*
++		 * New inode size must not exceed ->s_maxbytes, accounting for
++		 * possible signed overflow.
++		 */
++		if (inode->i_sb->s_maxbytes - isize < len) {
+ 			error = -EFBIG;
+ 			goto out_unlock;
+ 		}
++		new_size = isize + len;
+ 
+ 		/* Offset should be less than i_size */
+-		if (offset >= i_size_read(inode)) {
++		if (offset >= isize) {
+ 			error = -EINVAL;
+ 			goto out_unlock;
+ 		}